verifying functional correctness of message passing
play

Verifying functional correctness of message-passing programs in Coq - PowerPoint PPT Presentation

Nov 28, 2023 •342 likes •601 views

Verifying functional correctness of message-passing programs in Coq Robbert Krebbers, TU Delft Joint work with Jonas Kastberg Hinrichsen, ITU Jesper Bengtson, ITU 4 June 2020 @ VEST Workshop, Online 1 Type checking message-passing programs

  1. Verifying functional correctness of message-passing programs in Coq Robbert Krebbers, TU Delft Joint work with Jonas Kastberg Hinrichsen, ITU Jesper Bengtson, ITU 4 June 2020 @ VEST Workshop, Online 1

  2. Type checking message-passing programs using session types Example program: let ( c , c ′ ) = new chan () in fork { let x = recv c ′ in send c ′ ( x + 2) } ; send c 40; recv c Session types: c ′ : ? N . ! N . end c : ! N . ? N . end and Properties obtained: ✓ Type safety / session fidelity � � ✗ Functional correctness 2

  3. How to prove functional correctness of message-passing programs Combine ◮ Session Types [ Honda et al., ESOP’98 ] ◮ Type system for channels ◮ Example: ! N . ? N . end ◮ Ensures safety automatically through static type checking ◮ Concurrent Separation Logic [ O’Hearn & Brooks, CONCUR’04 ] ◮ Logic for reasoning about concurrent programs with mutable state. ◮ Example: { x �→ a ∗ y �→ b } swap x y { x �→ b ∗ y �→ a } ◮ Establish functional correctness through interactive or semi-automated proofs 3

  4. Actris [Kastberg Hinrichsen, Bengtson, Krebbers; POPL’20] A concurrent separation logic for proving functional correctness of programs that combine message passing with other programming and concurrency paradigms ◮ New notion of dependent separation protocols for reasoning about message passing in separation logic ◮ Integration with Iris and its existing concurrency mechanisms ◮ Verification of feature-complete programs including a variant of map-reduce ◮ A full mechanization of all of the above in Coq with tactics for interactive program proofs 4

  5. Dependent separation protocols Dependent separation protocols: Session types: Example: Example: ! ( x : N) � x � { 10 < x } . ? � x + 2 � { True } . end ! N . ? N . end 5

  6. Dependent separation protocols Dependent separation protocols: Session types: Example: Example: ! ( x : N) � x � { 10 < x } . ? � x + 2 � { True } . end ! N . ? N . end Protocols: Protocols: prot � ! � st � ! T . st x : � τ � v � { P } . prot | ? � x : � τ � v � { P } . prot | ? T . st | end | end 5

  7. Dependent separation protocols Dependent separation protocols: Session types: Example: Example: ! ( x : N) � x � { 10 < x } . ? � x + 2 � { True } . end ! N . ? N . end Protocols: Protocols: prot � ! � st � ! T . st x : � τ � v � { P } . prot | ? � x : � τ � v � { P } . prot | ? T . st | end | end Duality: Duality: ! � x : � τ � v � { P } . prot = ? � x : � τ � v � { P } . prot ! T . st = ? T . st ? � x : � τ � v � { P } . prot = ! � x : � τ � v � { P } . prot ? T . st = ! T . st end = end end = end 5

  8. Proof rules for dependent separation protocols Dependent separation protocols: Session types: { True } new chan () newchan () : st ⊗ st { ( c , c ′ ) . c ֌ prot ∗ c ′ ֌ prot } { c ֌ ! � τ � v � { P } . prot ∗ P [ � x ] } x : � t /� send c ( v [ � send : ( ! T . st ⊗ T ) ⊸ st t /� x ]) { c ֌ prot [ � x ] } t /� { c ֌ ? � x : � τ � v � { P } . prot } recv : ? T . st ⊸ ( T ⊗ st ) recv c { w . ∃ � t . ( w = v [ � x ]) ∗ c ֌ prot [ � x ] ∗ P [ � x ] } t /� t /� t /� 6

  9. Example – Dependency between messages Example program: { True } let ( c , c ′ ) = new chan () in fork { let x = recv c ′ in send c ′ ( x + 2) } ; send c 40; recv c { w . w = 42 } 7

  10. Example – Dependency between messages Example program: { True } let ( c , c ′ ) = new chan () in fork { let x = recv c ′ in send c ′ ( x + 2) } ; send c 40; recv c { w . w = 42 } Dependent separation protocols: c ֌ ! ( x : N) � x � { True } . ? � x + 2 � { True } . end c ′ ֌ ? ( x : N) � x � { True } . ! � x + 2 � { True } . end 7

  11. Example – Dependency between messages Example program: { True } let ( c , c ′ ) = new chan () in fork { let x = recv c ′ in send c ′ ( x + 2) } ; send c 40; recv c { w . w = 42 } Dependent separation protocols: c ֌ ! ( x : N) � x � { True } . ? � x + 2 � { True } . end c ′ ֌ ? ( x : N) � x � { True } . ! � x + 2 � { True } . end Properties obtained: ✓ Type safety / session fidelity � ✓ Functional correctness � 7

  12. Example – References Example program: { True } let ( c , c ′ ) = new chan () in fork { let x = recv c ′ in x ← (! x + 2); send c ′ () } ; let y = ref (40) in send c y ; recv c ; ! y { w . w = 42 } 8

  13. Example – References Example program: { True } let ( c , c ′ ) = new chan () in fork { let x = recv c ′ in x ← (! x + 2); send c ′ () } ; let y = ref (40) in send c y ; recv c ; ! y { w . w = 42 } Dependent separation protocols: c ֌ ! ( ℓ : Loc)( x : N) � ℓ � { ℓ �→ n } . ? � () � { ℓ �→ ( x + 2) } . end c ′ ֌ ? ( ℓ : Loc)( x : N) � ℓ � { ℓ �→ n } . ! � () � { ℓ �→ ( x + 2) } . end 8

  14. Example – References Example program: { True } let ( c , c ′ ) = new chan () in fork { let x = recv c ′ in x ← (! x + 2); send c ′ () } ; let y = ref (40) in send c y ; recv c ; ! y { w . w = 42 } Dependent separation protocols: c ֌ ! ( ℓ : Loc)( x : N) � ℓ � { ℓ �→ n } . ? � () � { ℓ �→ ( x + 2) } . end c ′ ֌ ? ( ℓ : Loc)( x : N) � ℓ � { ℓ �→ n } . ! � () � { ℓ �→ ( x + 2) } . end Properties obtained: ✓ Type safety / session fidelity � ✓ Functional correctness � 8

  15. Soundness of Actris If { True } e { v . φ ( v ) } is provable in Actris then: ✓ Type safety/session fidelity: e will not crash and not send wrong messages � ✓ Functional correctness: If e terminates with v , the postcondition φ ( v ) holds � 9

  16. Soundness of Actris If { True } e { v . φ ( v ) } is provable in Actris then: ✓ Type safety/session fidelity: e will not crash and not send wrong messages � ✓ Functional correctness: If e terminates with v , the postcondition φ ( v ) holds � Obtained by modeling Actris as an embedded domain-specific logic in Iris 9

  17. Iris [Jung, Krebbers et al.; POPL’15, ICFP’16, ESOP’17, JFP’18] A powerful, general, language-independent, framework for modeling your own domain specific higher-order separation logics with powerful tactics in Coq 10

  18. Iris [Jung, Krebbers et al.; POPL’15, ICFP’16, ESOP’17, JFP’18] A powerful, general, language-independent, framework for modeling your own domain specific higher-order separation logics with powerful tactics in Coq ◮ Powerful: supports reasoning about intricate concurrent programs 10

  19. Iris [Jung, Krebbers et al.; POPL’15, ICFP’16, ESOP’17, JFP’18] A powerful, general, language-independent, framework for modeling your own domain specific higher-order separation logics with powerful tactics in Coq ◮ Powerful: supports reasoning about intricate concurrent programs ◮ General: unifies the reasoning principles in many other logics 10

  20. Iris [Jung, Krebbers et al.; POPL’15, ICFP’16, ESOP’17, JFP’18] A powerful, general, language-independent, framework for modeling your own domain specific higher-order separation logics with powerful tactics in Coq ◮ Powerful: supports reasoning about intricate concurrent programs ◮ General: unifies the reasoning principles in many other logics ◮ Language-independent: parameterized by the language 10

  21. Iris [Jung, Krebbers et al.; POPL’15, ICFP’16, ESOP’17, JFP’18] A powerful, general, language-independent, framework for modeling your own domain specific higher-order separation logics with powerful tactics in Coq ◮ Powerful: supports reasoning about intricate concurrent programs ◮ General: unifies the reasoning principles in many other logics ◮ Language-independent: parameterized by the language ◮ Modeling logics: can be used to model domain-specific logics 10

  22. Iris [Jung, Krebbers et al.; POPL’15, ICFP’16, ESOP’17, JFP’18] A powerful, general, language-independent, framework for modeling your own domain specific higher-order separation logics with powerful tactics in Coq ◮ Powerful: supports reasoning about intricate concurrent programs ◮ General: unifies the reasoning principles in many other logics ◮ Language-independent: parameterized by the language ◮ Modeling logics: can be used to model domain-specific logics ◮ Tactics in Coq: for interactive correctness proofs of programs 10

  23. Implementation and model of Actris in Iris Approach: ◮ Implement new chan , send , and recv as a library using lock-protected buffers ◮ Define c ֌ prot using Iris’s invariant and ghost state machinery ◮ Prove Actris’s proof rules as lemmas in Iris 11

  24. Implementation and model of Actris in Iris Approach: ◮ Implement new chan , send , and recv as a library using lock-protected buffers ◮ Define c ֌ prot using Iris’s invariant and ghost state machinery ◮ Prove Actris’s proof rules as lemmas in Iris Benefits: ✓ Can readily reuse all powerful reasoning mechanisms of Iris � ✓ Can readily reuse Iris’s support for interactive proofs in Coq � ✓ Actris’s soundness result is a corollary of Iris’s soundness � ✓ Very small Coq mechanization � (200 lines for channel implementation and proofs, 1000 lines for the definition and proof rules of c ֌ prot , 450 lines for Coq tactics specific for message passing) 11

  25. Demo in Coq 12

Recommend

MPI - Message Passing Interface MPI is the mostly used message passing-standard By

MPI - Message Passing Interface MPI is the mostly used message passing-standard By

MPI - Message Passing Interface MPI is the mostly used message passing-standard By using MPI you obtain portable programs MPI is based on earlier message passing libraries Lecture 7: NX, MPL, PVM, P4, TCGMSH, PARMACS, ...

360 views • 9 slides
Message Passing Concepts Message Passing Model The message passing model is based on the

Message Passing Concepts Message Passing Model The message passing model is based on the

Message Passing Concepts Message Passing Model The message passing model is based on the notion of processes can think of a process as an instance of a running program, together with the programs data In the message passing model,

601 views • 16 slides
Message Passing Programming with MPI Message Passing Programming with MPI 1 What is MPI?

Message Passing Programming with MPI Message Passing Programming with MPI 1 What is MPI?

Message Passing Programming with MPI Message Passing Programming with MPI 1 What is MPI? Message Passing Programming with MPI 2 MPI Forum First message-passing interface standard. Sixty people from forty different organisations.

1.61k views • 113 slides
Message-Passing Programming with MPI Message-Passing Concepts Overview This lecture will

Message-Passing Programming with MPI Message-Passing Concepts Overview This lecture will

Message-Passing Programming with MPI Message-Passing Concepts Overview This lecture will cover message passing model SPMD communication modes collective communications Programming Models Message-Passing Serial Programming

406 views • 28 slides
Message Passing Programming with MPI What is MPI? Message Passing Programming with MPI 1

Message Passing Programming with MPI What is MPI? Message Passing Programming with MPI 1

Message Passing Programming with MPI What is MPI? Message Passing Programming with MPI 1 Message Passing Programming with MPI 2 MPI Forum Goals and Scope of MPI First message-passing interface standard. MPIs prime goals are:

511 views • 29 slides
COMP31212: Concurrency Topics 4.3: Message Passing Topic 4.3: Message Passing Outline Topic

COMP31212: Concurrency Topics 4.3: Message Passing Topic 4.3: Message Passing Outline Topic

Topic 4.3: Message Passing COMP31212: Concurrency Topics 4.3: Message Passing Topic 4.3: Message Passing Outline Topic 4.3: Message Passing Background Synchronous Message Passing Asynchronous Message Passing Channel Selection Topic 4.3:

382 views • 36 slides
Fault Tolerance in Message Passing Fault Tolerance in Message Passing and in Action and in

Fault Tolerance in Message Passing Fault Tolerance in Message Passing and in Action and in

Fault Tolerance in Message Passing Fault Tolerance in Message Passing and in Action and in Action Jack Dongarra, Innovative Computing Laboratory University of Tennessee and Computer Science and Mathematics Division Oak Ridge National

422 views • 14 slides
Distributed Objects Message Passing vs. Distributed Objects Message Passing versus Distributed

Distributed Objects Message Passing vs. Distributed Objects Message Passing versus Distributed

Distributed Objects Message Passing vs. Distributed Objects Message Passing versus Distributed Objects The message-passing paradigm is a natural model for distributed computing, in the sense that it mimics interhuman communications. It is

901 views • 58 slides
+ Design of Parallel Algorithms Introduction to the Message Passing Interface MPI + Principles

+ Design of Parallel Algorithms Introduction to the Message Passing Interface MPI + Principles

+ Design of Parallel Algorithms Introduction to the Message Passing Interface MPI + Principles of Message-Passing Programming n The logical view of a machine supporting the message-passing paradigm consists of p processes, each with its own

683 views • 39 slides
Message Passing Programming Introduction to MPI What is MPI? MPI Forum First

Message Passing Programming Introduction to MPI What is MPI? MPI Forum First

Message Passing Programming Introduction to MPI What is MPI? MPI Forum First message-passing interface standard. Sixty people from forty different organisations. Users and vendors represented, from the US and Europe. Two-year

526 views • 18 slides
Lecture 5: Message Passing &amp; Other Communication Mechanisms (SR &amp; Java) Intro:

Lecture 5: Message Passing &amp; Other Communication Mechanisms (SR &amp; Java) Intro:

Lecture 5: Message Passing &amp; Other Communication Mechanisms (SR &amp; Java) Intro: Synchronous &amp; Asynchronous Message Passing Types of Processes in Message Passing Examples Asynchronous Sorting Network Filter (SR)

914 views • 50 slides
+ The HARPO Verifier Status 2018 October 15 Verifying the Correctness of HARPO Programs 1

+ The HARPO Verifier Status 2018 October 15 Verifying the Correctness of HARPO Programs 1

+ The HARPO Verifier Status 2018 October 15 Verifying the Correctness of HARPO Programs 1 Verifying the Correctness of HARPO Programs Presented at NECEC 2018, St. Johns NL Inaam Ahmed Computer Engineering Research Labs, Dept. ECE, MUN

492 views • 23 slides
Programming Introduction to MPI What is MPI? 2 MPI Forum First message-passing interface

Programming Introduction to MPI What is MPI? 2 MPI Forum First message-passing interface

Message Passing Programming Introduction to MPI What is MPI? 2 MPI Forum First message-passing interface standard. Sixty people from forty different organisations. Users and vendors represented, from the US and Europe. Two-year

302 views • 18 slides
CSL 860: Modern Parallel Computation Computation MPI: MESSAGE PASSING INTERFACE Message

CSL 860: Modern Parallel Computation Computation MPI: MESSAGE PASSING INTERFACE Message

CSL 860: Modern Parallel Computation Computation MPI: MESSAGE PASSING INTERFACE Message Passing Model Process (program counter, address space) Multiple threads (pc, stacks) MPI is for inter-process communication Process creation

546 views • 53 slides
Divergence measures and message passing Tom Minka Microsoft Research Cambridge, UK with thanks

Divergence measures and message passing Tom Minka Microsoft Research Cambridge, UK with thanks

Divergence measures and message passing Tom Minka Microsoft Research Cambridge, UK with thanks to the Machine Learning and Perception Group 1 Message-Passing Algorithms MF [Peterson,Anderson 87] Mean-field BP [Frey,MacKay 97] Loopy

458 views • 42 slides
Message passing and channels INF4140 - Models of concurrency Message passing and channels Fall

Message passing and channels INF4140 - Models of concurrency Message passing and channels Fall

Message passing and channels INF4140 - Models of concurrency Message passing and channels Fall 2016 17. Oct. 2016 Outline Course overview: Part I: concurrent programming; programming with shared variables Part II: distributed

847 views • 41 slides
Introduction to Parallel Computing Irene Moulitsas Programming using the Message-Passing

Introduction to Parallel Computing Irene Moulitsas Programming using the Message-Passing

Introduction to Parallel Computing Irene Moulitsas Programming using the Message-Passing Paradigm MPI Background MPI : Message Passing Interface Began in Supercomputing 92 Vendors IBM, Intel, Cray Library writers PVM

876 views • 38 slides
CSE-505: Programming Languages Lecture 21 Synchronous Message-Passing and Concurrent ML Zach

CSE-505: Programming Languages Lecture 21 Synchronous Message-Passing and Concurrent ML Zach

CSE-505: Programming Languages Lecture 21 Synchronous Message-Passing and Concurrent ML Zach Tatlock 2016 Message Passing Threads communicate via send and receive along channels instead of read and write of references Not so

626 views • 13 slides
Interference Alignment via Message-Passing Message-Passing M. Guillaud Motivation Maxime

Interference Alignment via Message-Passing Message-Passing M. Guillaud Motivation Maxime

Interference Alignment via Interference Alignment via Message-Passing Message-Passing M. Guillaud Motivation Maxime GUILLAUD Communication Problem Interference Alignment Message-Passing GDL Min-Sum IA via Min-Sum Implementation

701 views • 46 slides
On the Interpolation of Product-Based Message Passing Heuristics for SAT Oliver Gableske 1 1

On the Interpolation of Product-Based Message Passing Heuristics for SAT Oliver Gableske 1 1

PMP i Goals Message Passing Interpolation and ISI Conclusions On the Interpolation of Product-Based Message Passing Heuristics for SAT Oliver Gableske 1 1 Institute of Theoretical Computer Science Ulm University Germany

684 views • 46 slides
Proving Copyless Message Passing Jules Villard 1 tienne Lozes 1 Cristiano Calcagno 2 1 LSV, ENS

Proving Copyless Message Passing Jules Villard 1 tienne Lozes 1 Cristiano Calcagno 2 1 LSV, ENS

Proving Copyless Message Passing Jules Villard 1 tienne Lozes 1 Cristiano Calcagno 2 1 LSV, ENS Cachan, CNRS 2 Imperial College, London ANR PANDA Sept. 10 PPS Outline Copyless Message Passing Language Highlights Contracts Local

1.08k views • 60 slides
Lifted Message Passing Rorschach Test K. Kersting 2 Lifted Message Passing GRAPHBOT@ ROS 2010

Lifted Message Passing Rorschach Test K. Kersting 2 Lifted Message Passing GRAPHBOT@ ROS 2010

GRAPHBOT 2010. IROS WORKSHOP ON PROBABILISTIC GRAPHICAL Sriraam Babak Fabian Scott Youssef El Natarajan Ahmadi Hadiji Sanner Massaoudi MODELS IN ROBOTICS Taipei, Taiwan, October 22. 2010 A E Kristian Kersting Lifted Message

431 views • 28 slides
Lecture 13 CSE 260 Parallel Computation (Fall 2015) Scott B. Baden Message Passing Stencil

Lecture 13 CSE 260 Parallel Computation (Fall 2015) Scott B. Baden Message Passing Stencil

Lecture 13 CSE 260 Parallel Computation (Fall 2015) Scott B. Baden Message Passing Stencil methods with message passing Announcements Weds office hours changed for the remainder of quarter: 3:30 to 5:30 Scott B. Baden / CSE 260, UCSD

629 views • 35 slides
c p e c Writing Message-Passing Parallel Programs with MPI 1 Edinburgh Parallel Computing

c p e c Writing Message-Passing Parallel Programs with MPI 1 Edinburgh Parallel Computing

Writing Message- Passing Parallel Programs with MPI c p e c Writing Message-Passing Parallel Programs with MPI 1 Edinburgh Parallel Computing Centre Getting Started c p e c Sequential Programming Paradigm M Memory P Processor c p e

1.08k views • 64 slides

More recommend